A lightweight, fast web security scanner that detects missing security headers and provides automated remediation suggestions.

- ✅ Comprehensive Security Analysis - Scans 9 critical security headers
- ⚡ Lightning Fast - Concurrent scanning with configurable workers
- 🎯 Smart Scoring - Risk-based scoring system with severity levels
- 📊 Multiple Output Formats - Console, JSON, and CSV reports
- 🔧 Ready-to-Use Fixes - Copy-paste HTTP header configurations
- 🚀 Zero Configuration - Works out of the box
| Header | Severity | Purpose |
|---|---|---|
| Content-Security-Policy | 🔴 Critical | Prevents XSS and code injection |
| Strict-Transport-Security | 🟠 High | Enforces HTTPS connections |
| X-Frame-Options | 🟡 Medium | Prevents clickjacking |
| X-Content-Type-Options | 🟡 Medium | Prevents MIME sniffing |
| Permissions-Policy | 🟡 Medium | Controls browser features |
| Cross-Origin-Opener-Policy | 🟡 Medium | Isolates browsing contexts |
| Cross-Origin-Embedder-Policy | 🟡 Medium | Prevents unauthorized embedding |
| Referrer-Policy | 🔵 Low | Controls referrer information |
| X-XSS-Protection | 🔵 Low | Legacy XSS protection |
```bash
# Clone the repository
git clone https://github.com/yourusername/headerguard.git
cd headerguard

# Install dependencies
pip install -r requirements.txt

# Make executable (optional)
chmod +x headerguard.py
```

Requirements:

- Python 3.7 or higher
- `requests` library

```bash
# Quote the version specifier so the shell does not treat ">" as a redirect
pip install "requests>=2.28.0"

# Optional: Enhanced features
pip install colorama tqdm rich
```

```bash
# Scan a single website
python headerguard.py https://example.com

# Scan multiple websites
python headerguard.py https://site1.com https://site2.com https://site3.com
```

```bash
# Custom timeout and workers
python headerguard.py https://example.com --timeout 15 --workers 10

# JSON output to file
python headerguard.py https://example.com --format json --output report.json

# CSV report
python headerguard.py https://example.com --format csv --output security-audit.csv

# Custom User-Agent
python headerguard.py https://example.com --user-agent "MySecurityBot/1.0"
```

```text
positional arguments:
  urls                  URLs to scan

options:
  -h, --help            show this help message and exit
  --timeout TIMEOUT     Request timeout in seconds (default: 10)
  --format {console,json,csv}
                        Output format (default: console)
  --output OUTPUT, -o OUTPUT
                        Output file (default: stdout)
  --workers WORKERS     Max concurrent workers (default: 5)
  --user-agent USER_AGENT
                        Custom User-Agent string
```
```text
================================================================================
HEADERGUARD SECURITY REPORT
================================================================================
Scan completed at: 2025-06-16 14:30:25
Total URLs scanned: 1

🔴 https://example.com
   Score: 45/100 (HIGH risk)
   Status: 200

   Missing Security Headers:
   🔴 CONTENT-SECURITY-POLICY (critical)
      Description: Prevents XSS and code injection attacks
      Fix: Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
   🟠 STRICT-TRANSPORT-SECURITY (high)
      Description: Enforces secure HTTPS connections
      Fix: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

   Present Security Headers:
   ✅ X-FRAME-OPTIONS: SAMEORIGIN
   ✅ X-CONTENT-TYPE-OPTIONS: nosniff
```
```json
[
  {
    "url": "https://example.com",
    "status_code": 200,
    "scan_time": "2025-06-16T14:30:25.123456",
    "overall_score": 45,
    "risk_level": "high",
    "checks": [
      {
        "header": "content-security-policy",
        "present": false,
        "value": null,
        "severity": "critical",
        "description": "Prevents XSS and code injection attacks",
        "remediation": "Add: Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';"
      }
    ]
  }
]
```

```bash
# Comprehensive security audit
python headerguard.py https://myapp.com --format json --output audit-2025.json

# Generate CSV for compliance reports
python headerguard.py https://app1.com https://app2.com --format csv --output compliance.csv

# Automated security checks in pipelines
python headerguard.py $STAGING_URL --format json | jq '.[] | select(.overall_score < 80)'

# Scan multiple domains from file
cat domains.txt | xargs python headerguard.py --workers 20 --format csv --output bulk-scan.csv
```

| Score Range | Risk Level | Description |
|---|---|---|
| 90-100 | 🟢 Low | Excellent security posture |
| 70-89 | 🟡 Medium | Good security, minor improvements needed |
| 50-69 | 🟠 High | Significant security gaps |
| 0-49 | 🔴 Critical | Major security vulnerabilities |
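The following is an added example, not headerguard's own code: it evaluates a response's headers against the nine headers listed above, builds a record with the same keys as the JSON report, maps the score onto the risk bands of the table, and applies the same `overall_score < 80` gate the jq pipeline uses. The per-severity penalty weights, the `scan_headers`/`failing_entries` names and the suggested values for the headers the README gives no fix for are assumptions made for this example; the sample header sets are constructed, not captured from any real site.

```python
# Added example, not headerguard's own code: evaluates a response's headers
# against the nine headers listed above, emits a record in the shape of the
# JSON report, and gates on a minimum score the way the jq pipeline does.
import json
from datetime import datetime, timezone

# Per-severity penalty for a missing header. These weights are an assumption
# made for this example; headerguard's real scoring formula is not shown here.
SEVERITY_WEIGHTS = {"critical": 30, "high": 20, "medium": 10, "low": 5}

# Canonical name -> (severity, description, suggested value). Severities and
# descriptions follow the README table; the suggested values for the headers
# the README gives no fix for are example assumptions, not the tool's output.
SECURITY_HEADERS = {
    "Content-Security-Policy": ("critical", "Prevents XSS and code injection attacks",
                                "default-src 'self'; script-src 'self'; object-src 'none';"),
    "Strict-Transport-Security": ("high", "Enforces secure HTTPS connections",
                                  "max-age=31536000; includeSubDomains; preload"),
    "X-Frame-Options": ("medium", "Prevents clickjacking", "SAMEORIGIN"),
    "X-Content-Type-Options": ("medium", "Prevents MIME sniffing", "nosniff"),
    "Permissions-Policy": ("medium", "Controls browser features",
                           "geolocation=(), camera=(), microphone=()"),  # assumed value
    "Cross-Origin-Opener-Policy": ("medium", "Isolates browsing contexts", "same-origin"),  # assumed
    "Cross-Origin-Embedder-Policy": ("medium", "Prevents unauthorized embedding", "require-corp"),  # assumed
    "Referrer-Policy": ("low", "Controls referrer information", "strict-origin-when-cross-origin"),
    "X-XSS-Protection": ("low", "Legacy XSS protection", "0"),  # assumed: "0" turns the legacy filter off
}


def risk_level(score: int) -> str:
    """Map a 0-100 score onto the risk bands of the table above."""
    if score >= 90:
        return "low"
    if score >= 70:
        return "medium"
    if score >= 50:
        return "high"
    return "critical"


def scan_headers(url: str, status_code: int, headers: dict) -> dict:
    """Build one report entry (same keys as the JSON report above) from a header mapping.
    HTTP header names are case-insensitive, so matching is done on lower-cased names."""
    lowered = {name.lower(): value for name, value in headers.items()}
    checks, penalty = [], 0
    for name, (severity, description, fix) in SECURITY_HEADERS.items():
        present = name.lower() in lowered
        if not present:
            penalty += SEVERITY_WEIGHTS[severity]
        checks.append({
            "header": name.lower(),
            "present": present,
            "value": lowered.get(name.lower()),
            "severity": severity,
            "description": description,
            "remediation": None if present else f"Add: {name}: {fix}",
        })
    score = max(0, 100 - penalty)
    return {
        "url": url,
        "status_code": status_code,
        "scan_time": datetime.now(timezone.utc).isoformat(),
        "overall_score": score,
        "risk_level": risk_level(score),
        "checks": checks,
    }


def failing_entries(report: list, min_score: int = 80) -> list:
    """Entries below the threshold, i.e. what `jq '.[] | select(.overall_score < 80)'` selects."""
    return [entry for entry in report if entry["overall_score"] < min_score]


# Constructed sample responses (not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",  # lower-case on purpose: must still match
}
HARDENED_HEADERS = {name: fix for name, (_, _, fix) in SECURITY_HEADERS.items()}

if __name__ == "__main__":
    report = [scan_headers("https://example.com", 200, SAMPLE_HEADERS),
              scan_headers("https://hardened.example", 200, HARDENED_HEADERS)]
    print(json.dumps(report, indent=2))
    failing = failing_entries(report, 80)
    raise SystemExit(1 if failing else 0)  # a non-zero exit fails the CI step
```

With the assumed weights the first sample loses 90 points (every header except the two it sets is missing) and lands in the critical band, while the hardened sample scores 100. Matching on lower-cased names matters in practice: `requests` normalises header case, but a raw-socket or proxy-captured response may not, and a scanner that compares exact strings would report a present header as missing.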
Nginx:

```nginx
# Add to server block
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
```

Apache:

```apache
# Add to .htaccess or virtual host
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
```

Express (helmet):

```javascript
const helmet = require('helmet');

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      objectSrc: ["'none'"]
    }
  },
  hsts: {
    maxAge: 31536000,
    includeSubDomains: true,
    preload: true
  }
}));
```

- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
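The Nginx, Apache and Express snippets above have no Python counterpart, so here is one as an added example that is not part of headerguard or any of those projects: a WSGI middleware that sets the same five headers with the same values. It is written against the WSGI interface from the standard library only; the `secure_headers_middleware` and `run_request` names and the two demo apps are constructed for this example. Two details the config snippets leave implicit are handled explicitly: a header the application already sets (for instance a stricter, page-specific CSP) is not overwritten, and `Strict-Transport-Security` is only emitted on HTTPS responses, since browsers ignore it over plain HTTP.

```python
# Added example, not headerguard's own code: a WSGI middleware that sets the
# same headers as the Nginx/Apache/helmet snippets above, for Python web apps.
# Runs against a constructed demo app in-process, with no network access.

# Same names and values as the Nginx and Apache snippets above.
SECURE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none';"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]


def secure_headers_middleware(app, headers=SECURE_HEADERS):
    """Wrap a WSGI app so every response carries the security headers.
    Headers the app already set are left alone (an app-specific CSP should win),
    and Strict-Transport-Security is only added on HTTPS, where browsers honour it."""
    def wrapped(environ, start_response):
        https = environ.get("wsgi.url_scheme", "http") == "https"

        def patched_start_response(status, response_headers, exc_info=None):
            already_set = {name.lower() for name, _ in response_headers}
            merged = list(response_headers)
            for name, value in headers:
                if name.lower() in already_set:
                    continue  # respect the application's own choice
                if name.lower() == "strict-transport-security" and not https:
                    continue  # HSTS is ignored over plain HTTP
                merged.append((name, value))
            return start_response(status, merged, exc_info)

        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Minimal app that sets only Content-Type (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def demo_app_with_own_csp(environ, start_response):
    """App that already sends its own, stricter CSP (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Security-Policy", "default-src 'none'")])
    return [b"locked down\n"]


def run_request(app, scheme="https", path="/"):
    """Drive one request through `app` in-process; return (status, headers dict, body)."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(response_headers)
        return lambda data: None  # legacy write() callable, unused here

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": scheme}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, hdrs, body = run_request(secure_headers_middleware(demo_app))
    print(status)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

To check the wrapped app with headerguard itself, serve it with `wsgiref.simple_server.make_server` behind a TLS-terminating proxy (or any WSGI server that sets `wsgi.url_scheme` to `https`); scanning a plain `http://127.0.0.1` listener will correctly report HSTS as missing, because the middleware deliberately does not send it there.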
```bash
# Install development dependencies
pip install -r requirements.txt pytest black flake8 mypy

# Run tests
pytest

# Code formatting
black headerguard.py

# Linting
flake8 headerguard.py

# Type checking
mypy headerguard.py
```

Planned features:

- Custom security header configurations
- Integration with security databases (CVE, OWASP)
- Historical scanning and trend analysis
- Docker container support
- Web dashboard interface
- Slack/Teams notifications
- Plugin system for custom checks
This project is licensed under the MIT License - see the LICENSE file for details.